OASIS Mailing List Archives

security-use message



Subject: Re: Shibboleth Use Case Supported?


Hal,
> We have no explicit requirement for anonymity. (I can't prevent my
> customer from creating an account called John Q. Public, but I am taking any
> steps to hide the user's identity from the PDP.) If you see explicit support
> for anonymity as a requirement, I suggest you propose it.

What I see a need to support is the ability for the system we are in the process
of creating to be able to handle arbitrary credential requirements.  Then it is up to the
"customers" to define such, including the Shibboleth use cases. I.e. the B2B
industry will define their stuff, which is likely to be different from the health-care
sector (except when they are involved in B2B).  Academia has its own
set of requirements and profiles as indicated by the Shibboleth papers.

> > A helpful home-domain server will of course alert the user if personal
> > information is to be given out.  And since the credential consumer is identified
> > in the first place, you also have a pretty good idea where this info goes.
> 
> Is this a requirement? How would this work? Is the home-domain server going
> to call my cell phone?

The credential consumer is authenticated and you of course have to trust your own
credential creator for giving you all information.  I.e. it can say: The IRS wants your SSN
etc. Do you agree?  

> > What I have argued about is that S2ML v0.8 requires configuration of certain
> > low-level protocol pieces as well.  I.e. in spite of agreement on payload,
> > you must set a lot of partner-specific stuff.
> 
> I just don't see this. It seems to me both schemes require a lot of advance
> knowledge of who your partners are, what your agreements are, what the
> network addresses of various components are, etc. Where is the difference?

In S2ML v0.8 you must also know things like cookie or URL ref.  Push or pull credential.
And you have a really ugly partner clock dependency as well.  That's way below what
I would call a useful system.

> Thank you. I am gratified to know I understand WHAT you want to do, but I
> still don't have a clue as to WHY you want to do it.

To not end up in the same situation as our Swedish ID-card program.  This credential
identifies you as an individual.  Unfortunately that is useful in just a few places.  And
how are they going to fix that?  With directories?  That gives huge privacy and interoperability problems!
Using X509 ACs?  That is supported by almost none.

The Shibboleth approach makes it possible for different domains that a user is
associated with to have digital relations of various kinds.

Nothing, absolutely Nothing I have seen comes close in flexibility!

Note: a specific credential creator may only know a single credential so you can address
any kind of scenario you want, including S2ML v0.8 use case #1.

Anders
